Hack Open Hotel Room Door Locks

Everytime you checkin into a hotel, you are presented with a smartcard which would become key to your Hotel Room door locks for your duration of stay. Have you ever wondered how it works?

Well, Hackers have reverse engineered the whole Door locking system and hacked it for good, revealing how incompetent some of the industry standard products are. This isn’t new. We’ve seen how you can hack Unlock an Office door.

The hack is essentially designed to exploit flaw found in Onity’s locking system. Over ten million Onity HT locks are installed in hotels worldwide, accounting for over half of all the installed hotel locks.

How the Hack Works

Warning: This hack is geekier than you might anticipate. Unless you’ve a good hold on electronics, hardware & digital circuits, there’s no point reading further.

To understand how the hack works, you would have to start by understanding the components of the Onity lock system:

Encoder: This is the device which makes the keycards, but it also stores all the property information (e.g. room listings, time tables, etc) and is used to load the portable programmer. It plays important role in adding cryptography to the card.

Lock: In our context, we’re primarily concerned with the actual circuit board that performs the locking logic for doors. There are multiple lock configurations, e.g. exterior doors and guest room doors, but we’ll be talking mostly about guest room locks.

Our area of interest for the hack is restricted to the PP and the lock.

The core strategy is to read the SiteCode from memory and then use the same code to unlock the door. But first, we need to be able to access memory of the lock, and knowledge of the location of the sitecode in memory. The good thin about the hack is that it is totally un-identifiable. When you hack open the door with the custom kit, the audit log would still show PP (card opener) having been used.

How to access Memory: The lock communication port is unauthenticated and enables direct memory access, which allows arbitrary reading of memory. Combined with basic knowledge of the system, this can allow an attacker to open doors directly, create master keys, and create programming cards for whole properties. Once we get access to the memory, hack can be performed in under a quarter of a second.

The cryptography used on these key cards is inherently flawed. The biggest flaw is with the choice the company made by using small keyspace. A simple brute-force can get the results within a matter of seconds.

We recommend the use of door chains or latches whenever possible to add an extra layer of protection. As the deadbolt on electronic locks is able to be disengaged by the lock mechanism, it provides protection only against physical attacks.